Hi Vladimir
I tried switching to the ED25519 algorithm, but then home users could no
longer resolve anything in the zone because the resolvers are too
old/incomplete.
So, to stay resolvable I was hoping to work around that with two
algorithms.
Partially I was hoping that, with the zone using the newer algorithm, over
time more resolvers would be upgraded.
Like with TLS 1.3: more clients will support it if most servers already
have it enabled by default.
Cheers,
Stefan
On Fri, 23 Jul 2021 at 16:28, Vladimír Čunát <
vladimir.cunat(a)nic.cz> wrote:
Hello.
On 23/07/2021 16.13, Schindler, Stefan wrote:
Because for some reason a lot of ISP resolvers
support RSA only while
I would like to future-proof my zone with ED25519 at the same time.
As the current DNSSEC standards go, I think it's normally not worth
using two algorithms at once on a single zone (except temporarily when
changing from one to another). Validators will succeed when validation
with *any* of the algorithms succeeds. Therefore adding a stronger algo
won't make the result stronger (attackers can choose which one to
compromise) - at least until the weaker algo gets (commonly) considered
as insecure.
Weirdly enough, DNSSEC validators do not do that even with short RSAs -
one problem is that the standardized (non-)support mechanism is independent
of key length. That's OK for the new fixed-length algos but not so much
for RSA.
--Vladimir | knot-resolver.cz
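The validator behaviour Vladimir describes can be made concrete with a small model of the DNSSEC outcome rules (RFC 4035 §5 and RFC 6840 §5.2 / §5.11): a zone with several algorithms in its DS set validates as soon as one signature by any algorithm the resolver supports verifies, and a zone whose DS set contains only algorithms the resolver does not support is treated as insecure rather than bogus. The following is an added example written for this page, not code from either poster or from Knot Resolver. Signatures are represented by a constructed `verifies` flag rather than real keys, so the model shows only the decision logic; the scenario names and the helper `scenarios()` are inventions for illustration.

```python
"""Model of DNSSEC validator outcomes for a zone signed with one or two algorithms.

Rules modelled (simplified):
  * RFC 6840 s5.2:  if no algorithm in the DS RRset is supported, the zone is INSECURE.
  * RFC 6840 s5.11: otherwise, one verifying RRSIG by any supported algorithm is enough
    for SECURE; if none verifies, the answer is BOGUS.
Key length is deliberately absent: as Vladimir notes, the standard (non-)support
mechanism only knows algorithm numbers, not RSA key sizes.
"""
from dataclasses import dataclass
from enum import Enum

# IANA DNSSEC algorithm numbers for the two algorithms discussed in the thread.
RSASHA256 = 8
ED25519 = 15


class Outcome(Enum):
    SECURE = "secure"      # validated, AD bit set
    INSECURE = "insecure"  # treated like an unsigned zone, still resolvable
    BOGUS = "bogus"        # validation failed, SERVFAIL from a validating resolver


@dataclass(frozen=True)
class RRSIG:
    algorithm: int
    verifies: bool  # constructed stand-in for "the signature checks out under the real key"


def validate(ds_algorithms, rrsigs, supported):
    """Return the validator outcome for an RRset given the parent's DS algorithms,
    the RRSIGs present on the answer, and the algorithms the resolver implements."""
    usable = set(ds_algorithms) & set(supported)
    if not usable:
        # No supported algorithm anchors the zone: provably insecure, not bogus.
        return Outcome.INSECURE
    # Any single verifying signature by a usable algorithm wins.
    for sig in rrsigs:
        if sig.algorithm in usable and sig.verifies:
            return Outcome.SECURE
    return Outcome.BOGUS


def scenarios():
    """Constructed scenarios mirroring the thread. Returns {name: Outcome}."""
    dual_ds = {RSASHA256, ED25519}
    old_resolver = {RSASHA256}            # "ISP resolvers support RSA only"
    new_resolver = {RSASHA256, ED25519}

    honest = [RRSIG(RSASHA256, True), RRSIG(ED25519, True)]
    # Attacker has compromised only the RSA key: the Ed25519 signature does not verify
    # (or is simply omitted), but the RSA one does.
    rsa_forged = [RRSIG(RSASHA256, True), RRSIG(ED25519, False)]
    # Mirror image: attacker controls only the Ed25519 key.
    ed_forged = [RRSIG(RSASHA256, False), RRSIG(ED25519, True)]

    return {
        # Stefan's goal: dual-signed zone stays resolvable on RSA-only resolvers.
        "dual_zone_old_resolver": validate(dual_ds, honest, old_resolver),
        "dual_zone_new_resolver": validate(dual_ds, honest, new_resolver),
        # Vladimir's point: breaking either key alone is enough against a modern validator,
        # so adding Ed25519 does not raise the bar while RSA is still accepted.
        "dual_zone_rsa_key_compromised": validate(dual_ds, rsa_forged, new_resolver),
        "dual_zone_ed_key_compromised": validate(dual_ds, ed_forged, new_resolver),
        # Same forgery against an RSA-only zone: identical outcome, i.e. no loss either.
        "rsa_only_zone_rsa_key_compromised": validate({RSASHA256}, [RRSIG(RSASHA256, True)], new_resolver),
        # Ed25519-only zone on an RSA-only resolver: the RFC says INSECURE (still resolvable).
        "ed_only_zone_old_resolver": validate({ED25519}, [RRSIG(ED25519, True)], old_resolver),
        # Nothing verifies although an algorithm is supported: BOGUS, SERVFAIL.
        "dual_zone_all_bad": validate(dual_ds, [RRSIG(RSASHA256, False), RRSIG(ED25519, False)], new_resolver),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:40s} {outcome.value}")
```

The only scenario whose outcome changes when Ed25519 is added is the resolver's own support set; an attacker who can forge one accepted algorithm is never worse off, which is the reason the reply recommends a single algorithm outside of a rollover. Note that the model follows the RFC text for the Ed25519-only case and says INSECURE; resolvers that instead fail hard, as Stefan reports seeing, deviate from that rule and are not captured here.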